Internal Control System

The Group has in place an internal control system (the “System”), based on the model provided by the COSO Report (Committee of Sponsoring Organizations of the Treadway Commission Report – Enterprise Risk Management model) and the principles of the Dutch Corporate Governance Code, which consists of a set of policies, procedures and organizational structures aimed at identifying, measuring, managing and monitoring the principal risks to which CNH Industrial is exposed. The System is integrated within the organizational and corporate governance framework adopted by CNH Industrial and contributes to the protection of corporate assets, as well as to ensuring the efficiency and effectiveness of business processes, reliability of financial information and compliance with laws, regulations, the Articles of Association and internal procedures.

The System, which has been developed on the basis of international best practices, consists of the following three levels of control:

  • Level 1: operating areas, which identify and assess risk and establish specific actions for management of such risk; 
  • Level 2: central functions responsible for risk control, which define methodologies and instruments for managing risk and monitoring such risk; 
  • Level 3: internal audit, which conducts independent evaluations of the System in its entirety.

Principal Characteristics of the Internal Control System and Internal Control over Financial Reporting 

CNH Industrial has in place a system of risk management and internal control over financial reporting based on the model provided in the COSO Report, according to which the internal control system is defined as a set of rules, procedures and tools designed to provide reasonable assurance of the achievement of corporate objectives. In relation to the financial reporting process, reliability, accuracy, completeness and timeliness of the information contribute to the achievement of such corporate objectives. Risk management is an integral part of the internal control system. A periodic evaluation of the system of internal control over financial reporting is designed to ensure the overall effectiveness of the components of the COSO Framework (control environment, risk assessment, control activities, information and communication, and monitoring) in achieving those objectives. CNH Industrial – which is listed on the NYSE and, consequently, will be subject to Section 404 of the United States Sarbanes-Oxley Act starting from 2014 – has a system of administrative and accounting procedures in place that seeks to ensure a highly reliable system of internal control over financial reporting.

The approach adopted by CNH Industrial for the evaluation, monitoring and continuous updating of the system of internal control over financial reporting is based on a ‘top-down, risk-based’ process consistent with the COSO Framework. This enables focus on areas of higher risk and/or materiality, where there is risk of significant errors, including those attributable to fraud, in the elements of the financial statements and related documents. The key components of the process are:

  • identification and evaluation of the source and probability of significant errors in elements of financial reporting;
  • assessment of the adequacy of key controls in enabling ex-ante or ex-post identification of potential misstatements in elements of financial reporting; and 
  • verification of the operating effectiveness of controls based on the assessment of the risk of misstatement in financial reporting, with testing focused on areas of higher risk.

Identification and evaluation of the risk of misstatements which could have material effects on financial reporting is carried out through a risk assessment process that uses a top-down approach to identify the organizational entities, processes and the related accounts, in addition to specific activities, which could potentially generate significant errors. Under the methodology adopted by CNH Industrial, risks and related controls are associated with the accounting and business processes upon which accounting information is based.

Significant risks identified through the assessment process require definition and evaluation of key controls that address those risks, thereby mitigating the possibility that financial reporting will contain any material misstatements.

In accordance with international best practices, the CNH Industrial Group has two principal types of control in place:

  • controls that operate at Group or subsidiary level, such as the delegation of authorities and responsibilities, separation of duties, and assignment of access rights for IT systems; and 
  • controls that operate at process level, such as authorizations, reconciliations, verification of consistencies, etc. This category includes controls for operating processes, controls for closing processes and cross-sector controls carried out by service providers that are part of Fiat Chrysler Automobiles N.V. These controls can be preventive (i.e., designed to prevent errors or fraud that could result in misstatements in financial reporting) or detective (i.e., designed to reveal errors or fraud that have already occurred). They may also be defined as manual or automatic, such as application-based controls relating to the technical characteristics and configuration of IT systems supporting business activities.

An assessment of the design and operating effectiveness of key controls is carried out through tests performed by dedicated departments at subsidiary level and by the internal audit function, using sampling techniques based on international best practices. The internal audit function also conducts a qualitative review of the tests performed by subsidiary companies.

The assessment of the controls may require the definition of compensating controls and plans for remediation and improvement. The results of monitoring are subject to periodic review by the manager responsible for preparation of CNH Industrial’s financial reporting and communicated to senior management and to the Audit Committee (which in turn reports to the Board of Directors).